Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA 5505 and Windows Azure Site-to-Site VPN

Hi all,

I'm trying to set up a site-to-site VPN connection between my ASA 5505 (ASA 9.1(4) and ASDM 7.1(3)) and Windows Azure. For the configuration of the connection Microsoft supplies a configuration script (see below, IP and shared key removed) which sets up all the connection and encryption settings.

! Microsoft Corporation

! Windows Azure Virtual Network

! This configuration template applies to Cisco ASA 5500 Series Adaptive Security Appliances running ASA Software 8.3.

! It configures an IPSec VPN tunnel connecting your on-premise VPN device with the Azure gateway.

! ---------------------------------------------------------------------------------------------------------------------

! ACL and NAT rules


! Proper ACL and NAT rules are needed for permitting cross-premise network traffic.

! You should also allow inbound UDP/ESP traffic for the interface which will be used for the IPSec tunnel.

object-group network azure-networks



object-group network onprem-networks



access-list azure-vpn-acl extended permit ip object-group onprem-networks object-group azure-networks

nat (inside,outside) source static onprem-networks onprem-networks destination static azure-networks azure-networks

! ---------------------------------------------------------------------------------------------------------------------

! Internet Key Exchange (IKE) configuration


! This section specifies the authentication, encryption, hashing, Diffie-Hellman, and lifetime parameters for the Phase

! 1 negotiation and the main mode security association. We have picked an arbitrary policy # "10" as an example. If

! that happens to conflict with an existing policy, you may choose to use a different policy #.

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 28800


! ---------------------------------------------------------------------------------------------------------------------

! IPSec configuration


! This section specifies encryption, authentication, and lifetime properties for the Phase 2 negotiation and the quick

! mode security association.

crypto ipsec transform-set azure-ipsec-proposal-set esp-aes-256 esp-sha-hmac

crypto ipsec security-association lifetime seconds 3600

crypto ipsec security-association lifetime kilobytes 102400000

! ---------------------------------------------------------------------------------------------------------------------

! Crypto map configuration


! This section defines a crypto map that binds the cross-premise network traffic to the

! IPSec transform set and remote peer. We have picked an arbitrary ID # "10" as an example. If

! that happens to conflict with an existing crypto map, you may choose to use a different ID #.

crypto map azure-crypto-map 10 match address azure-vpn-acl

crypto map azure-crypto-map 10 set peer

crypto map azure-crypto-map 10 set transform-set azure-ipsec-proposal-set

crypto map azure-crypto-map interface outside

! ---------------------------------------------------------------------------------------------------------------------

! Tunnel configuration


! This section defines an IPSec site-to-site tunnel connecting to the Azure gateway and specifies the pre-shared key

! value used for Phase 1 authentication. 

tunnel-group type ipsec-l2l

tunnel-group ipsec-attributes

pre-shared-key abcdefghijklmnopqrstuvwxyz123456


! ---------------------------------------------------------------------------------------------------------------------

! TCPMSS clamping


! Adjust the TCPMSS value properly to avoid fragmentation

sysopt connection tcpmss 1350


I ran this script succesfully and I checked the settings in ASDM. However I keep getting the error that UDP 500 is blocked:

Deny inbound UDP from to on interface outside

I'm quite new to Cisco firewalls and am looking for a fairly dummy proof way to allow the different protocol settings required (isakmp, NAT-T, L2TP, ESP) from the Azure gateway ( to my outside ip address (

Any help would be appreciated!

Everyone's tags (1)
New Member

Please try to deploy ACL

Please try to deploy ACL inbound and outbound

and as per your deny message, permit it from internal network to external network

and vice versa.


The error is self-explanatory.